After writing about
TJX Companies Inc.'s admission that at least
45.7 million credit and debit cards were stolen over an 18-month
period by hackers who managed to penetrate its network, I
scoured the blogosphere to see what security experts had to say
about this latest development.
In the process, I found a couple of interesting blog entries
about how data breaches can actually be good for companies if they
learn the right lessons from them and deal with the aftermath as
openly and honestly as possible.
Unfortunately for TJX, nobody seems to be suggesting that the
company is traveling along the path to redemption.
The Framingham, Mass.-based retail giant finally gave a tally of
the damage in a
regulatory filing with the Securities and
Exchange Commission (SEC) Wednesday. Along with the
45.7 million estimate, the company said another 455,000
customers who returned merchandise without receipts were robbed
of their driver's license numbers and other personal
information. That makes this the largest data breach in history,
some experts say.
In his
Daily Incite blog, Mike Rothman, president
and principal analyst of Security Incite in Atlanta, wrote that
a data breach disclosure doesn't have to be the end of the
company affected.
"If a compromised company aggressively communicates what
happened, what they are going to do for customers, and what they
are doing to make sure it doesn't happen again, they can certainly
recover," he said. "Those that stonewall customers [and] leave them
hanging out to dry and basically point the finger at someone else
don't fare as well."
He suggested that TJX's actions fall into the latter
category.
Security expert Adam Shostack doesn't mention TJX specifically
in his latest Emergent Chaos blog posting. But his synopsis
of a presentation he delivered at last week's Shmoocon conference
in Washington does offer some good food for thought.
His presentation,
"Security Breaches are Good for You,"
describes how data breaches can lead to better security going
forward.
"The reason that breaches are so important is that they provide
us with an objective and hard to manipulate data set which we can
use to look at the world. It's a basis for evidence in computer
security," he wrote. "Breaches offer a unique and new opportunity
to study what really goes wrong. They allow us to move beyond
purely qualitative arguments about how bad things are, or why they
are bad, and add quantification."
Time to update that blog
Moving on to another matter, those who follow the
blog of Oracle CSO Mary Ann Davidson will
notice that she hasn't updated it since Jan. 29. There are plenty
of good reasons why bloggers sometimes go for long stretches
without adding fresh posts. Most have day jobs and busy families
that can make it hard to blog daily, and Davidson obviously is a
very busy woman.
But here's what bothers me about her blog:
In her last posting she talks a lot about what was expected to
be a strong Oracle presence at the RSA conference in San Francisco.
Among other things, she beamed about the fact that her boss, CEO
Larry Ellison, would be delivering a keynote.
"We have a very dynamic CEO who is a great speaker and who
really Gets Security and has as long as I have been with the
company," she wrote. "So yes, I and all the other Oracle security
weenies I know are really thrilled that Larry is speaking and
nobody is going to miss this. You shouldn't, either."
The trouble is twofold -- one, the RSA conference was almost two
months ago. Two, Ellison never showed up to deliver that
keynote.
Oracle has caught plenty of flak for
not being on top of its security game. To be
fair, the company has taken some encouraging steps in recent
months to improve the patching process for DBAs, including its
decision to
streamline the quarterly patch bulletin,
offer more details about its security holes and
even offer advance notice on upcoming
fixes.
But when the database giant's main security voice stays silent
for long periods of time and leaves her blog out of date, it
doesn't help to bolster the company's image.